Web Application Firewalls (WAFs) such as Cloudflare and AWS WAF sit in front of a web application as reverse proxies, filtering and monitoring HTTP traffic before it reaches the origin server. That protection only holds if the origin accepts traffic solely from the proxy: if the origin's own IP address is reachable directly, every WAF rule can be sidestepped. Locating that origin IP is therefore a standard step in a security assessment. This guide outlines techniques for finding candidate addresses and for confirming that a candidate really is the origin.
Before attempting to bypass a WAF, first confirm its presence. Resolve the hostname and look up who owns the address it resolves to:

```bash
# Get the IP address(es) the hostname currently resolves to
dig +short example.com

# Check the organization that owns the first of those addresses
ip=$(dig +short example.com | grep -E '^[0-9.]+$' | head -n 1)
curl -s "https://ipinfo.io/$ip" | jq -r '.org'
```

Common WAF Indicators:
- AWS: `AWSALB` and `AWSALBCORS` cookies mean an Application Load Balancer; `x-amz-cf-id` / `x-amz-cf-pop` headers mean CloudFront. AWS WAF itself adds no header of its own, so you infer it from the ALB or CloudFront distribution in front of the application and from 403 responses to obviously malicious probes.
- Cloudflare: the organization is "Cloudflare, Inc." (AS13335), responses carry `server: cloudflare` and a `cf-ray` header, and blocked requests get a Cloudflare-branded error page.
- Other WAFs may have specific signatures or response headers; a fingerprinting tool such as wafw00f checks for dozens of them at once.
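The checks above, as an added example that is not part of the original guide: `detect_front` classifies a saved header block by the Cloudflare and AWS signatures listed, `is_proxy_org` applies the ipinfo organization test, and `fetch_headers` fetches the headers for a hostname (optionally pinned to an IP). The three header samples are constructed, not captured, and the `waf_check.sh` invocation shown in the comment is an assumed name.

```bash
#!/usr/bin/env bash
# Added example, not code from the original guide: tell from response headers
# and from the ipinfo organisation string what is sitting in front of a site.
# Signatures are limited to the providers discussed above; the header samples
# at the bottom are constructed, not captured.

# detect_front <headers-file> -> one line per front-end indicator found,
# or "none". Input is the header block that curl -D or curl -i writes.
detect_front() {
  local hdrs=$1 found=0
  # Cloudflare rewrites the Server header and stamps every response with cf-ray
  if grep -qiE '^server:[[:space:]]*cloudflare' "$hdrs" || grep -qiE '^cf-ray:' "$hdrs"; then
    echo cloudflare; found=1
  fi
  # AWSALB / AWSALBCORS are ALB sticky-session cookies; AWS WAF itself adds
  # nothing visible, so an ALB or CloudFront in front is the tell
  if grep -qiE '^set-cookie:[[:space:]]*AWSALB(CORS)?=' "$hdrs"; then
    echo aws-alb; found=1
  fi
  if grep -qiE '^(x-amz-cf-id|x-amz-cf-pop):' "$hdrs" || grep -qiE '^via:.*cloudfront' "$hdrs"; then
    echo aws-cloudfront; found=1
  fi
  [ "$found" -eq 1 ] || echo none
}

# is_proxy_org <ipinfo org string> -> exit 0 when the address is owned by a
# provider that commonly fronts sites. "amazon" is deliberately loose: an EC2
# origin shows the same owner, so treat it as "look closer", not "WAF".
is_proxy_org() {
  printf '%s' "$1" | grep -qiE 'cloudflare|amazon|cloudfront'
}

# fetch_headers <host> [ip] -> path of a temp file holding the response headers;
# with an IP, --resolve pins the name to that address (correct SNI and Host)
fetch_headers() {
  local host=$1 ip=${2:-} out
  out=$(mktemp)
  if [ -n "$ip" ]; then
    curl -s -k -D "$out" -o /dev/null --max-time 10 --resolve "$host:443:$ip" "https://$host/"
  else
    curl -s -k -D "$out" -o /dev/null --max-time 10 "https://$host/"
  fi
  echo "$out"
}

# Constructed samples (not real captures)
CF_SAMPLE=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 8a1b2c3d4e5f0000-FRA\r\n\r\n' > "$CF_SAMPLE"
ALB_SAMPLE=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nSet-Cookie: AWSALB=abc123; Path=/\r\nSet-Cookie: AWSALBCORS=abc123; SameSite=None; Secure\r\n\r\n' > "$ALB_SAMPLE"
PLAIN_SAMPLE=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n' > "$PLAIN_SAMPLE"

for f in "$CF_SAMPLE" "$ALB_SAMPLE" "$PLAIN_SAMPLE"; do
  echo "$f: $(detect_front "$f" | tr '\n' ' ')"
done
is_proxy_org "AS13335 Cloudflare, Inc." && echo "ipinfo org: proxy/CDN provider"

# Live use (assumed invocation): ./waf_check.sh example.com [candidate-ip]
if [ $# -ge 1 ]; then
  detect_front "$(fetch_headers "$@")"
fi
```

Run it with no arguments to see the classifier on the samples; with a hostname (and optionally a candidate IP) it fetches live headers. A result of `none` from a candidate IP that returns `cloudflare` through the public name is exactly the contrast you are looking for later in this guide.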
Historical DNS records often reveal the address a domain pointed to before the WAF was put in front of it; if the host was never re-addressed, that old A record is still the origin:

- **SecurityTrails DNS History**
  - Visit: https://securitytrails.com/domain/example.com/dns
  - Export historical A records to a text file
  - Extract the unique IPs:

    ```bash
    grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' dns_history.txt | sort -u > potential_ips.txt
    ```

- **DNS Dumpster**
  - Use https://dnsdumpster.com to generate network maps
  - Look for IP addresses in the results that do not belong to the WAF/CDN provider (MX records and unproxied subdomains are the usual finds)
Development or staging environments often sit outside the WAF. Cloudflare-style proxying is also enabled per DNS record, so any record the owner left unproxied resolves straight to a server, and that server is frequently the same machine as the production origin:

```bash
# Enumerate subdomains and resolve them; dnsprobe prints "host ip", so keep the second column
subfinder -silent -d example.com | dnsprobe -silent | awk '{ print $2 }' | sort -u > subdomain_ips.txt
```

Focus on subdomains like:
- dev.example.com
- staging.example.com
- test.example.com
- beta.example.com
- mail.example.com, ftp.example.com and other records that must stay unproxied for non-HTTP services to work
Certificates often reveal every host where a certificate for the domain is deployed, including origins that present the same certificate when connected to directly:

- **Censys Method:**
  - Search for certificates using your target domain
  - Select "Certificates" in the input field and search for your domain
  - Review each certificate and click "Explore" > "IPv4 Hosts"
  - Collect all associated IPs
- **Shodan Method:**

  ```text
  # Search by Common Name (CN)
  ssl.cert.subject.CN:"example.com"
  # Search in all certificate fields (broader)
  ssl:"example.com"
  ```

Note: Verify results manually, as they may include CDN/proxy IPs that present the same certificate. SAN (Subject Alternative Name) fields are generally more reliable than CN: browsers match on the SAN list, so a certificate covering many names lists them only there.
For each potential IP, test whether it serves the target hostname. Pin the hostname to the candidate with `--resolve` rather than only setting a Host header: that way the TLS handshake carries the right SNI, which virtual-hosted origins need before they will serve the correct site (a bare `https://IP/` request sends no SNI and often gets a default page or a handshake failure):

```bash
# Test a single IP
curl -s -k --resolve example.com:443:POTENTIAL_IP https://example.com/

# Test multiple IPs
while read -r ip; do
  org=$(curl -s "https://ipinfo.io/$ip" | jq -r '.org')
  title=$(curl -s -k --max-time 5 --resolve "example.com:443:$ip" https://example.com/ | pup 'title text{}')
  echo "IP: $ip | Title: $title | Org: $org"
done < potential_ips.txt
```
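A title match alone is a weak signal (many candidates will be other sites, default vhosts or parked pages with a plausible title). As an added example that is not code from the original guide, the script below fingerprints a response as `status|server|title|bodyhash` and compares each candidate against the WAF-fronted reference by body hash, with a weaker "same status and title" verdict for dynamic pages. The three sample responses are constructed, `HOST`, the candidate IPs and the `verify_origin.sh` invocation are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the original guide: confirm a candidate origin
# by comparing what it serves for the hostname against the WAF-fronted site.
# A fingerprint is "status|server|title|bodyhash"; bodies are compared by hash,
# so a hosting default page or a different vhost cannot pass as a match.

sha256() { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi; }

# fingerprint < raw-http-response  (headers, blank line, body, as curl -i emits)
fingerprint() {
  local raw headers body status server title hash
  raw=$(cat)
  headers=$(printf '%s\n' "$raw" | awk 'NR == 1, /^\r?$/')
  body=$(printf '%s\n' "$raw" | awk 'f { print } /^\r?$/ { f = 1 }')
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{ print $2 }')
  server=$(printf '%s\n' "$headers" | grep -iE '^server:' | head -n 1 \
           | cut -d: -f2- | tr -d '\r' | sed -E 's/^[[:space:]]+//')
  title=$(printf '%s\n' "$body" | tr '\n' ' ' | grep -oiE '<title>[^<]*</title>' | head -n 1 \
          | sed -E 's/<\/?[Tt][Ii][Tt][Ll][Ee]>//g')
  hash=$(printf '%s' "$body" | sha256 | cut -c1-16)
  echo "$status|$server|$title|$hash"
}

# probe <host> <ip> -> fingerprint of what <ip> serves for <host>.
# --resolve pins the name to the IP, so SNI and Host are both correct.
probe() {
  curl -s -k -i --max-time 5 --resolve "$1:443:$2" "https://$1/" | fingerprint
}

# verdict <reference-fp> <candidate-fp>
#   MATCH  : identical body, the candidate is serving the same site
#   LIKELY : same status and title but a different body (dynamic content,
#            CSRF tokens); diff the two responses by hand before calling it
#   MISS   : anything else
verdict() {
  local rs cs rt ct rh ch
  rs=$(printf '%s' "$1" | cut -d'|' -f1); cs=$(printf '%s' "$2" | cut -d'|' -f1)
  rt=$(printf '%s' "$1" | cut -d'|' -f3); ct=$(printf '%s' "$2" | cut -d'|' -f3)
  rh=$(printf '%s' "$1" | cut -d'|' -f4); ch=$(printf '%s' "$2" | cut -d'|' -f4)
  if [ "$rh" = "$ch" ]; then echo MATCH
  elif [ "$rs" = "$cs" ] && [ -n "$rt" ] && [ "$rt" = "$ct" ]; then echo LIKELY
  else echo MISS; fi
}

# Constructed responses (not captures): the site as seen through Cloudflare,
# the real origin answering directly, and an unrelated host on the shortlist.
REF_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 8a1b2c3d4e5f0000-FRA\r\n\r\n<html><head><title>Example Corp</title></head><body>Welcome</body></html>\n')
ORIGIN_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n<html><head><title>Example Corp</title></head><body>Welcome</body></html>\n')
OTHER_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.57\r\n\r\n<html><head><title>Apache2 Default Page</title></head><body>It works!</body></html>\n')

REF_FP=$(printf '%s\n' "$REF_RESPONSE" | fingerprint)
echo "reference: $REF_FP"
for cand in "$ORIGIN_RESPONSE" "$OTHER_RESPONSE"; do
  fp=$(printf '%s\n' "$cand" | fingerprint)
  echo "candidate: $fp -> $(verdict "$REF_FP" "$fp")"
done

# Live use (assumed invocation): ./verify_origin.sh example.com 203.0.113.10 198.51.100.42
if [ $# -ge 2 ]; then
  HOST=$1; shift
  REF_FP=$(curl -s -k -i --max-time 5 "https://$HOST/" | fingerprint)
  for ip in "$@"; do
    fp=$(probe "$HOST" "$ip")
    echo "$ip | $fp | $(verdict "$REF_FP" "$fp")"
  done
fi
```

The Server field is reported but deliberately not part of the verdict: the reference passes through the proxy, which rewrites it (Cloudflare reports `cloudflare`), so a candidate that answers `nginx` with an identical body is the origin, not a mismatch.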
Emails sent by the target often expose server addresses the WAF never sees, because proxies such as Cloudflare front HTTP(S) only and mail leaves from the real infrastructure (frequently the same host or netblock as the web origin):
- Trigger emails from the target (register, password reset, newsletters)
- Examine the full email headers, particularly:
  - Return-Path
  - Received (read from the bottom up; the lowest hop with a public address is the target's outbound mail server)
  - X-Originating-IP
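Every technique so far (DNS history, subdomain resolution, certificate search, email headers) produces text with IP addresses in it, and every list needs the same clean-up: drop private addresses and drop anything inside the WAF/CDN provider's own ranges, which is what the "verify manually" notes above amount to. As an added example that is not code from the original guide, the script below does that clean-up in plain bash and also walks the `Received` chain of an email to the first public hop. The sample file is constructed; the Cloudflare range list is a snapshot assumed current when the example was written.

```bash
#!/usr/bin/env bash
# Added example, not code from the original guide: collect IPv4 candidates
# from whatever text the steps above produced (a DNS-history export, Shodan or
# Censys output, resolved subdomains, raw e-mail headers) and discard the ones
# that cannot be the origin. Pure bash + coreutils, runs offline.

# ip2int 1.2.3.4 -> 32-bit integer (10# guards against octets like "08")
ip2int() {
  local IFS=.
  set -- $1
  echo $(( (10#$1 << 24) | (10#$2 << 16) | (10#$3 << 8) | 10#$4 ))
}

# in_cidr <ip> <a.b.c.d/n> -> exit 0 if ip lies inside the block
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# in_any <ip> "<space separated cidrs>" -> exit 0 if ip is in any of them
in_any() {
  local ip=$1 r
  for r in $2; do
    in_cidr "$ip" "$r" && return 0
  done
  return 1
}

# RFC 1918, loopback, link-local, "this" network: a leak of internal
# addressing is worth a line in the report but is not a reachable origin.
PRIVATE_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16 0.0.0.0/8"

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4),
# assumed current when this example was written; refresh from the live list and
# add other providers' ranges (e.g. AWS ip-ranges.json) as your target requires.
CDN_RANGES="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13
104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# candidate_ips <file> -> sorted unique public, non-CDN IPv4 addresses
candidate_ips() {
  grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort -u | while read -r ip; do
    in_any "$ip" "$PRIVATE_RANGES" && continue
    in_any "$ip" "$CDN_RANGES" && continue
    echo "$ip"
  done
}

# unfold <headers-file> -> e-mail headers with folded continuation lines joined
unfold() {
  awk '{ sub(/\r$/, "") }
       /^[ \t]/ { printf " %s", substr($0, 2); next }
       NR > 1   { print "" }
                { printf "%s", $0 }
       END      { print "" }' "$1"
}

# first_public_hop <headers-file> -> IP from the lowest Received: header that
# carries a public address, i.e. the target's outbound mail server as seen by
# the first relay outside its network
first_public_hop() {
  unfold "$1" | grep -iE '^Received:' \
    | awk '{ l[NR] = $0 } END { for (i = NR; i > 0; i--) print l[i] }' \
    | while read -r line; do
        ip=$(printf '%s\n' "$line" | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1)
        [ -n "$ip" ] || continue
        in_any "$ip" "$PRIVATE_RANGES" && continue
        echo "$ip"
        break
      done
}

# Constructed sample (not real data): a DNS-history export pasted together
# with the headers of a password-reset mail from the target.
DEMO_FILE=$(mktemp)
cat > "$DEMO_FILE" <<'EOF'
2019-03-01  A  198.51.100.42
2021-06-15  A  104.16.132.229
2021-06-15  A  104.17.1.5
Return-Path: <noreply@example.com>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.77])
        by mx.recipient.test with ESMTPS; Mon, 1 Jan 2024 00:00:01 +0000
Received: from web01.internal (web01.internal [10.0.0.5])
        by mail-relay.example.net (Postfix) with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000
X-Originating-IP: [203.0.113.10]
EOF

echo "Origin candidates:"; candidate_ips "$DEMO_FILE"
echo "Outbound mail server: $(first_public_hop "$DEMO_FILE")"
```

On the sample, the two 104.x addresses are dropped as Cloudflare, 10.0.0.5 is dropped as private (but note it in the report: it names an internal web host), and three public candidates remain for the `--resolve` test in the next section. Feed it any mix of files: `cat dns_history.txt subdomain_ips.txt reset_mail.eml > all.txt; candidate_ips all.txt`.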
Several tools automate origin IP discovery:

- **CloudFail:**

  ```bash
  git clone https://github.com/m0rtem/CloudFail.git
  cd CloudFail
  pip install -r requirements.txt
  python3 cloudfail.py -t example.com
  ```

- **CloudFlair:**

  ```bash
  git clone https://github.com/christophetd/CloudFlair
  cd CloudFlair
  pip install -r requirements.txt
  python3 cloudflair.py example.com
  ```
After discovering potential origin IPs, verify them:
- Compare response content with the WAF-protected site (a hash or diff of the body; a hosting provider's default page or a certificate for a different name is a miss, not a hit)
- Look for server fingerprints (headers, error pages) that the WAF would normally rewrite or hide
- Check for administrative interfaces or panels not accessible via the WAF
- Combine multiple techniques for better results
- Document all discovered IPs and their verification status
- Check IP ranges belonging to the organization (ASN and netblock lookups around any confirmed hit often turn up sibling hosts)
- Consider timing your requests to avoid rate limiting
- Navisec: A Pentester's Guide - Unmasking WAFs and Finding the Source
- Detectify: Bypassing Cloudflare WAF with the Origin Server IP Address
Enhanced and reformatted for HowToHunt repository by remonsec